private async Task _validateAuthorizationCodeFlow(ValidateAuthorizationRequestContext context) { authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } if (string.IsNullOrEmpty(context.RedirectUri)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "The required redirect_uri parameter was missing."); return; } if (!(await authservice.CheckClientIdExists(context.ClientId))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient, description: "Supplied Client Id was not a valid application Client Id."); return; } if (!(await authservice.CheckRedirectURIMatches(context.RedirectUri, context.ClientId))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied Redirect URI was not valid for the supplied Client Id."); return; } if (!(await authservice.CheckScopesAreValid(context.Request.Scope))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied scopes were was not valid Spotify Scopes."); return; } context.Validate(); }
private async Task _validateClientCredentialsTokenRequest(ValidateTokenRequestContext context) { // TODO increment user rate limit (nb this increment only happens in Validate) authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } if (String.IsNullOrWhiteSpace(context.ClientId)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Missing credentials: ensure that you specified a client_id."); return; } else if (String.IsNullOrWhiteSpace(context.ClientSecret)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidClient, description: "Missing credentials: ensure that you specified a client_secret."); return; } else if (!(await authservice.CheckClientIdExists(context.ClientId))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidClient, description: "Supplied Client Id was not a valid application Client Id."); return; } else if (!(await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret))) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied Secret was not correct for the Client Id."); return; } context.Validate(); }
public override async Task HandleTokenRequest(HandleTokenRequestContext context) { authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } if (context.Request.IsRefreshTokenGrantType()) { await _handleRefreshToken(context); return; } else if (context.Request.IsAuthorizationCodeGrantType()) { await _handleAuthorizationToken(context); return; } else if (context.Request.IsImplicitFlow()) { await _handleImplicitCredentialsToken(context); return; } else if (context.Request.IsClientCredentialsGrantType()) { await _handleClientCredentialsToken(context); return; } context.Reject( error: OpenIdConnectConstants.Errors.UnsupportedGrantType, description: "Only authorization code, client credentials, and implicit grants " + "are accepted by this authorization server"); return; }
private async Task _validateRefreshTokenRequest(ValidateTokenRequestContext context) { authservice = context.HttpContext.RequestServices.GetRequiredService <IValidateAuthorizationService>(); if (authservice == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } IRateLimitService rls = context.HttpContext.RequestServices.GetRequiredService <IRateLimitService>(); if (rls == null) { context.Reject(OpenIdConnectConstants.Errors.ServerError, "Failed to validate this authorization request"); return; } // TODO increment user rate limit (nb this increment only happens in Validate) if (String.IsNullOrWhiteSpace(context.Request.RefreshToken)) { context.Reject( error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Missing parameter: ensure that you specified a refresh_token."); } AuthenticateResult ar = await context.HttpContext.AuthenticateAsync(OpenIdConnectServerDefaults.AuthenticationScheme); AuthenticationTicket at = ar.Ticket; if (ar == null) { context.Reject(); return; } else if (ar.Principal == null) { context.Reject(error: OpenIdConnectConstants.Errors.InvalidRequest, description: "Supplied refresh token was not valid"); return; } else if (ar.Principal.Identity == null) { context.Reject(); return; } else if (!ar.Principal.Identity.IsAuthenticated) { context.Reject(); return; } /** here we do the legwork of validating that: * the client application still exists, * the supplied secret still matches, * the user's refresh and access tokens haven't been revoked, * the user isn't rate limited */ List <Claim> claims = ar.Principal.Claims.ToList(); var gtype = claims.Find(x => x.Type == "grant_type"); var userid = claims.Find(x => x.Type == "sub"); var clientSecret = context.ClientSecret; if (gtype == null || string.IsNullOrWhiteSpace(gtype.Value)) { context.Reject(); } if (userid == null || string.IsNullOrWhiteSpace(userid.Value)) { context.Reject(); } if (!await authservice.CheckClientIdExists(context.ClientId)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client id no longer exists."); return; } else if (!await authservice.CheckSecretMatchesId(context.ClientId, context.ClientSecret)) { context.Reject(OpenIdConnectConstants.Errors.InvalidClient, "The supplied client secret is no longer valid."); return; } else if (!await authservice.CheckTokenNotRevoked(gtype.Value, context.Request.RefreshToken)) { context.Reject(OpenIdConnectConstants.Errors.AccessDenied, "The supplied token has been revoked. Please re-authenticate."); } //TODO come back to this - rls is no longer our preferred service. _mc.RateLimits should be our goto else if (!(await rls.UserWithinRateLimit(userid.Value)) && !(await rls.UserWithinAppRateLimit(context.ClientId, userid.Value, gtype.Value))) { context.Reject(RateLimits.RateLimitExceededError, RateLimits.RateLimitExceededErrorDescription); return; } await rls.IncrementUserAPICallCount(userid.Value, context.ClientId); context.Validate(); }